Packet handling based on user information included in packet headers by a network gateway

ABSTRACT

The technology disclosed herein enables packet handling based on user information included in packet headers. In a particular embodiment, a method provides, in a gateway to a network environment, establishing a first connection with a first connection endpoint outside of the network environment. The method further provides identifying first user information associated with the first connection and adding the first user information to a packet header of one or more first packets associated with the first connection. Also, the method provides transferring the one or more first packets into the network environment.

RELATED APPLICATIONS

Benefit is claimed under 35 U.S.C. 119(a)-(d) to Foreign ApplicationSerial No. 202041002785 filed in India entitled “PACKET HANDLING BASEDON USER INFORMATION INCLUDED IN PACKET HEADERS BY A NETWORK GATEWAY” onJan. 22, 2020, by VMWARE, Inc., which is herein incorporated in itsentirety by reference for all purposes.

TECHNICAL BACKGROUND

In many types of network arrangements, a gateway facilitates networktraffic from one side of the gateway to the other. For example, agateway may be configured to facilitate network traffic entering andexiting a network environment. A connection may be established betweenthe gateway and an external endpoint that is outside of the networkenvironment. When establishing that connection, the gateway may obtainuser information associated with the external endpoint. The gateway mayuse the user information to determine, for instance, which services orendpoints within the network environment the external endpoint isallowed to access. If communications from the external endpoint areallowed to enter the network environment, then the gateway creates aconnection to another system within the network environment over whichthe communications will be passed from the gateway. Once passed from thegateway into the network environment, the user information associatedwith the communications will be unavailable for use by networkingelements (e.g., interface cards, firewalls, routers, etc.) within thenetwork environment unless the gateway is somehow able to pass along theuser information.

SUMMARY

The technology disclosed herein enables packet handling based on userinformation included in packet headers. In a particular embodiment, amethod provides, in a gateway to a network environment, establishing afirst connection with a first connection endpoint outside of the networkenvironment. The method further provides identifying first userinformation associated with the first connection and adding the firstuser information to a packet header of one or more first packetsassociated with the first connection. Also, the method providestransferring the one or more first packets into the network environment.

In some embodiments, the one or more first packets comply with InternetProtocol version 4 and adding the first user information to the packetheader comprises including the first user information to an option typefield of the packet header. In some embodiments, the one or more firstpackets comply with Internet Protocol version 6 and adding the firstuser information to the packet header comprises including the first userinformation to an extension header of the packet header.

In some embodiments, the method includes establishing a secondconnection within the network environment using a transport protocol. Inthose embodiments, the one or more first packets may comprise handshakepackets exchanged during a handshake procedure for the transportprotocol.

In some embodiments, the one or more first packets comprise packetsreceived via the first connection.

In some embodiments, the first connection comprises a virtual privatenetwork (VPN) connection between the gateway and identifying the firstuser information comprises extracting the first user information fromencapsulation for the VPN connection. In some embodiments, identifyingthe first user information comprises obtaining the first userinformation during establishment of the VPN connection.

In some embodiments, the method provides implementing microsegmentationwithin the network environment based on the first user information inthe packet header. Implementing the microsegmentation may compriseenforcing policies at one or more packet network interfaces within thenetwork environment.

In another embodiment, an apparatus is provided having one or morecomputer readable storage media and a processing system operativelycoupled with the one or more computer readable storage media. Programinstructions stored on the one or more computer readable storage mediathat, when read and executed by the processing system, direct theprocessing system to establish a first connection with a firstconnection endpoint outside of the network environment. The programinstructions further direct the processing system to identify first userinformation associated with the first connection and add the first userinformation to a packet header of one or more first packets associatedwith the first connection. Also, the program instructions direct theprocessing system to transfer the one or more first packets into thenetwork environment.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an implementation for handling network traffic basedon user information in packet headers.

FIG. 2 illustrates an operation for handling network traffic based onuser information in packet headers.

FIG. 3 illustrates an operational scenario for handling network trafficbased on user information in packet headers.

FIG. 4 illustrates another implementation for handling network trafficbased on user information in packet headers.

FIG. 5 illustrates a logical network for handling network traffic basedon user information in packet headers.

FIG. 6 illustrates an operational scenario for handling network trafficbased on user information in packet headers.

FIG. 7 illustrates another operational scenario for handling networktraffic based on user information in packet headers.

DETAILED DESCRIPTION

The network gateways described herein pass user information into thenetwork environments for which the gateways are handling ingress andegress network traffic. Passing the user information into the networkenvironments allows components within the network environments toconsider the user information when determining how to handle the networktraffic. In the examples below, the user information is added to theheaders of packets associated with the network traffic (e.g., packetsthat comprise the network traffic or packets used to establish aconnection within a network environment for the network traffic). Addinguser information to a packet header allows network components (e.g.,network interfaces, routers, firewalls, etc.) to easily access the userinformation at a transport layer of the network traffic. That is, anetwork component needs merely read the packet header, as the networkcomponent typically would do anyway for other types of information(e.g., network addresses, packet size information, etc.), to retrievethe user information. The network component can then handle the packetbased on policies/rules that apply to the user information.

For example, a policy may indicate that only certain types of users areable to access a particular system within a network environment. Userinformation included in a header for a packet directed to thatparticular system allows a component enforcing that policy to easilydetermine whether the packet should be allowed to reach the system. Thecomponent simply reads the user information from the header anddetermines whether the user information indicates that the associateduser is able to access the system. Advantageously, the policy isenforced by the component without having to determine the userinformation through other means, such as by inspecting the payload of apacket (if possible) or otherwise receiving the user information througha separate channel outside the normal course of directing networktraffic associated with the user information into the networkenvironment.

FIG. 1 illustrates implementation 100 for handling network traffic basedon user information in packet headers. Implementation 100 includesgateway 101, endpoint 102, endpoint 103, and external network 104.Gateway 101 and endpoint 102 communicate over communication link 111.Gateway 101 and external network 104 communicate over communication link112. Communication links 111-113 may be direct links or may includeintervening systems or devices. Gateway 101 and endpoint 102 arenetworked systems that are part of network environment 121. Networkenvironment 121 may include any number of other networked computingsystems and/or devices. External network 104 comprises networkingsystems and devices outside of network environment 121 over whichexternal systems, such as endpoint 103 communicate with networkenvironment 121.

In operation, gateway 101 is a network gateway that facilitates networktraffic into and out of network environment 121. For network traffic toenter network environment 121, an external connection to gateway 101from external network 104 (e.g., a connection with endpoint 103)terminates at gateway 101. User information used by gateway 101 duringestablishment of the connection is added by gateway 101 to the headersof packets used to transfer the network traffic within networkenvironment 121 (e.g., packets used to establish a connection withgateway 101 internal to network environment 121 and/or packets thatcarry the network traffic within network environment 121). Componentscapable of reading packet headers within network environment 121 canthen be configured to read that user information for whatever reason anadministrator of network environment 121 sees fit (e.g., for packetrouting determinations).

FIG. 2 illustrates operation 200 for handling network traffic based onuser information in packet headers. In operation 200, gateway 101establishes a connection with endpoint 103, which is outside of networkenvironment 121 (201). The connection may be in any network transportprotocol, although secure transport protocols are preferable to helpensure the integrity of the user information discussed below. Forexample, the connection between gateway 101 and endpoint 103 may use asecure encapsulation protocol that creates a virtual private network(VPN) connection.

From the establishment of the connection with endpoint 103, gateway 101identifies user information associated with the connection (202). Theuser information may include any information associated with a user,such as a username, a real-world name, location, demographics, or anyother information that may be relevant to enforcing policies withinnetwork environment 121. The user information may be explicitly providedby endpoint 103 in conjunction with the establishment of the connection,may be obtained by gateway 101 from information explicitly provided byendpoint 103, and/or may be requested by gateway 101 in conjunction withthe connection. For example, the user information may be a username (orother credentials) provided by endpoint 103 during establishment of theconnection or gateway 101 may reference a database of usernames todetermine the real-world name of a user associated with the username.

Gateway 101 then adds the identified user information to a packet headerof one or more packets associated with the connection (203). The packetsmay be exchanged in any packet-based protocol that uses packet headersinto which gateway 101 can include the user information discussed above.Gateway 101 complies with the procedure, defined by whicheverpacket-based protocol is being used, for including additionalinformation in a packet header (e.g., the user information) beyond theinformation required by the packet-based protocol (e.g.,source/destination addresses, protocol version information, fragmentoffset information, etc.). In some cases, the protocol may indicate thatgateway 101 needs to modify the information in one or more of therequired fields in order to include the user information elsewhere inthe packet header. For example, a required field for a protocol's packetheader may indicate a number of additional fields being included in thepacket header beyond the protocol's required fields. Gateway 101 maymodify that required field to indicate that at least one additionalfield is being included in the packet header (i.e., a field for the userinformation). Another network element reading the packet header wouldtherefore be notified that the additional field(s) exist so that theincluded user information from gateway 101 can be read properly (orignored without adversely affecting packet handling in cases where thatother network element is not configured to use the user information).Two common packet exchange protocols are Internet Protocol (IP) version4 (IPv4) and IP version 6 (IPv6). Both IP versions include provisions toinclude additional information beyond that required by the protocol tobe inserted into their respective headers, as discussed in more detailbelow.

After adding the user information, gateway 101 transfers the one or morepackets into network environment 121 (204). In this example, the packetsare directed to endpoint 102. Endpoint 102 is a system with whichgateway 101 establishes, or attempts to establish, a communicationsession internal to network environment 121. In some examples, packethandlers within network environment 121, such as a firewall, router,load balancer, quality of service enforcer, etc., on communication link111 may read the user information from the packet headers and preventthe packets from reaching gateway 101 based on a policy of networkenvironment 121 (e.g., a policy that allows certain users or types ofusers to access endpoint 102). In those cases, a connection betweengateway 101 and endpoint 102 may be blocked from being established orcommunications exchanged on the connection after establishment may beblocked. In other examples, a network interface of endpoint 102 itselfmay read the user information and enforce a policy based on the userinformation. Regardless of which element(s) within network environment121 enforce a network policy, those elements do not require capabilities(e.g., payload inspection) to obtain the user information beyond readingthe user information from the packet headers as any other headerinformation may be read by the element(s).

Operation 200, therefore, allows user information obtained by gateway101 to be used within network environment 121 rather than being limitedfor use only by gateway 101. The user information is relevant withrespect to a first connection between gateway 101 and endpoint 103 (viauser information exchanged in association with the establishment of thatfirst connection) and a second connection (or attempted connection)between gateway 101 and endpoint 102 (via the user information beingadded to the packet headers within network environment 121). Should bothconnections be established, endpoint 103 and endpoint 102 exchangecommunications through gateway 101 on the two connections.

FIG. 3 illustrates operational scenario 300 for handling network trafficbased on user information in packet headers. Operational scenario 300includes gateway 301, endpoint 302, and endpoint 303. Gateway 301 is anexample of gateway 101, endpoint 302 is an example of endpoint 102,endpoint 303 is an example of endpoint 103, and network environment 321is an example of network environment 121. Gateway 301 receives a requestat step 1 to establish a connection with endpoint 303 over an externalnetwork (e.g., external network 104). Either in that initial request, orat some other point during negotiation for the requested connection,user information 331 is identified by gateway 301 at step 2. Asillustrated by operational scenario 300, endpoint 303 provides userinformation 331 to gateway 301, although other examples may have atleast a portion of user information 331 provided from elsewhere (e.g., auser information repository). In one example, user information 331 mayinclude user credentials (e.g., username, password, security token,etc.) that are supplied by endpoint 303 to gateway 301. Gateway 301 usesthe credentials to determine whether endpoint 303 is authorized toestablish the requested connection. For instance, gateway 301 may usethe credentials to determine whether endpoint 303 subscribes to aservice provided by systems in the network environment (e.g., networkenvironment 121) accessible through gateway 301.

After the requested connection is established between gateway 301 andendpoint 303, gateway 301 attempts to establish a connection withendpoint 302 within the. In particular, gateway 301 generates one ormore packets 332 at step 3 that carry a request for a connection withendpoint 302. For example, the packets may be part of a transmissioncontrol protocol (TCP) three-way handshake to establish a TCP connectionbetween gateway 301 and endpoint 302. When generating, or aftergenerating, packets 332, gateway 301 adds user information 331 to theheader of each respective packet of packets 332. After adding userinformation 331 to the header(s), gateway 301 requests a connection withendpoint 302 at step 5 by transferring packets 332 towards endpoint 302.In some examples, a network interface at endpoint 302 may read userinformation 331 from the headers of packets 332 and determine whetherthe connection with gateway 301 should be allowed based on userinformation 331. For example, a policy for network environment 321 mayindicate which users are allowed to access applications provided byendpoint 302 and endpoint 302 may enforce that policy by reading userinformation 331 from packets 332. If the connection is not allowed, thenendpoint 302 may simply drop packets 332 or may notify gateway 301 thatthe requested connection is denied. In alternative examples, a networkcomponent between endpoint 302 and gateway 301 may read user information331 from packets 332 and determine how packets 332 should be handledbased on policies of network environment 321. For instance, packets 332may be dropped, allowed to proceed, or redirected depending on thepolicies applied to user information 331 read from packets 332. Hadgateway 301 not passed user information 331 into network environment 321within the headers of packets 332, elements of network environment 321,such as endpoint 302, would not have been able to enforce policies onpackets 332 that apply to user information 331.

FIG. 4 illustrates implementation 400 for handling network traffic basedon user information in packet headers. Implementation 400 includes hostcomputing systems 421 and 431, network switch 460, gateway 461, externalnetwork 462, and endpoint 463. External network 462 is considered to beon the external side of gateway 461 and may comprise one or more localarea networks (LANs) and/or wide area networks (WANs), such as theInternet. In this example, endpoint 463 comprises a personal computer,laptop, tablet, or other type of user operated computing system that auser, such as a customer of services provided by host computing systems421 and 431, may use to access services provided by host computingsystems 421 and 431.

Host computing system 421 executes hypervisor 423 to allocate physicalcomputing resources 422 among virtual machines 401-403 Likewise, hostcomputing system 431 executes hypervisor 433 to allocate physicalcomputing resources 432 among virtual machines 404-406. Physicalcomputing resources 422 and 432 include processing resources (e.g.,processing circuitry, such as Central Processing Unit(s) (CPUs) and/orGraphics Processing Unit(s) (GPUs), Application Specific IntegratedCircuits (ASICs) etc.), memory resources including one or more computerreadable storage media (e.g., random access memory, read only memory,hard disk drive(s), flash memory, etc. while in no examples would astorage medium of the memory resources be a propagated signal), networkinterface circuitry, user interfaces, or any other type of computingresource that a physical computing system may include.

Each of virtual machines 401-406 includes a respective guest operatingsystem (OS) 411-416 executing thereon. Each of virtual machines 401-406further provide respective virtualized network interface cards (VNICs)441-446 that exchange communications on behalf of their respective guestOSs 411-416. Hypervisor 423 includes router instance 451 and hypervisor433 includes router instance 452. Router instances 451 and 452 executeto create a logical overlay network between VNICs 441-446 and gateway461, as discussed below with respect to logical network 500.

Gateway 461 includes communication circuitry for exchangingcommunications with external network 462 and network switch 460. Gateway461 also includes processing circuitry that enables gateway 461 toperform as described below. In some examples, gateway 461 may includeone or more computer readable storage media that stores programinstructions that the processing circuitry reads and executes to performas described below. The storage media may include random access memory,read only memory, hard disk drive(s), flash memory, and/or some othertype of memory device. In no examples would a computer readable storagemedium be a propagated signal. In some examples, gateway 461 may bevirtualized, such as within one of virtual machines 401-406.

It should be understood that the distribution virtual machines 401-406evenly across two host computing systems, as shown in FIG. 4, is merelyexemplary. Virtual machines 401-406 shown are representative of anynumber of virtual machines that may be implemented on any number of hostcomputing systems.

Host computing system(s) 441 have similar structure to that of hostcomputing systems 421, 431. As such, host computing system(s) 441 maysimilarly host one or more virtual machines via respective hypervisors.For example, as additional virtual machines are needed based on demandfor a service provided by the virtual machines, then the additionalvirtual machines may be instantiated on one or more of host computingsystem(s) 441.

FIG. 5 illustrates logical network 500 for handling network trafficbased on user information in packet headers. Logical network 500includes network environment 521 for which gateway 461 facilitates theingress and egress of communications. Network environment 521 comprisesa logical overlay network generated by router 550. Router 550effectively acts as a single routing element even though routerinstances 451 and 452 execute on different hypervisors 423 and 433 toimplement router 550. Packets exchanged between VNICs 441-446 andbetween VNICs 441-446 and gateway 461 are routed through router 550.

In this example, VNICs 441-446 are tasked with enforcing routingpolicies of network environment 521 that enables microsegmentation ofguest OSs 411-416 within network environment 521. Microsegmentationallows the logical overlay network within network environment 521 to besubdivided into smaller segments depending on various predefinedcriteria of network traffic. For example, microsegmentation policies innetwork environment 521 may prevent guest OS 411 from communicating withguest OS 415. In that case, if VNIC 445 recognized received packets ashaving been transferred from VNIC 441 (e.g., by recognizing the sourceaddress in the packets' header), then VNIC 445 may drop the packetsrather than passing the data therein to guest OS 415. Networkenvironment 521, as discussed further below, enables themicrosegmentation, or other policies, therein to be based on userinformation appended to packet headers by gateway 461.

While VNICs 441-446 enforce network policies based on packet headerinformation in this example, it should be understood that other networkcomponents may be used for at least a portion of that enforcement. Forinstance, one or more firewall components may be placed between gateway461 and VNICs 441-446. In other examples, other types of policies, suchas quality of service policies, may be enforced based on the userinformation supplied by gateway 461. Other types of network componentswithin network environment 521 may also be configured to read the userinformation added to packets by gateway 461, as discussed below, andhandle those packets in some manner based on the user information.

FIG. 6 illustrates operational scenario 600 for handling network trafficbased on user information in packet headers. In operation, endpoint 463is instructed by its user to initiate a communication with gateway 461to access a service provided by network environment 521. For example,network environment 521 may provide virtual desktop services toendpoints that connect to network environment 521 through gateway 461.Specifically, each of guest OSs 411-416 may comprise operating systemsthat provide their desktop user interfaces from network environment 521over external network 462. Those user interfaces are operated viaendpoints, such as endpoint 463 over external network 462 (e.g., thevirtual desktop from network environment 521 may be displayed andmanipulated through a display window of an endpoint's user interface).

In response to the user instruction, endpoint 463 contacts gateway 461and provides user information 601 at step 1 to gateway 461. Userinformation 601 at least identifies the user of endpoint 463 to gateway461. Gateway 461 determines whether the user of endpoint 463 isauthorized to access network environment 521 at step 2. Gateway 461 mayaccess information (e.g., a list of service subscribers) stored ingateway 461, or in some other repository, to determine whether the useridentified by user information 601 is authorized to access networkenvironment 521. In some cases, gateway 461 may perform theauthorization process based solely on the user identity provided in userinformation 601. However, in other (likely most) cases, endpoint 463 mayfurther provide user credentials (e.g., password, security token, etc.)to gateway 461 that gateway 461 uses to authenticate that the user ofendpoint 463 is who they are purporting to be. In some examples, thosecredentials may be considered as included in user information 601,although, once the user has been authenticated, only the user's identitymay be relevant within network environment 521 (i.e., the user may notneed to be authenticated again once allowed through gateway 461 intonetwork environment 521). Once gateway 461 determines that the user ofendpoint 463 is authorized to access network environment 521, gateway461 establishes a secure VPN connection at step 3 with endpoint 463. If,in other examples, gateway 461 did not authorized the user of endpoint463, then the VPN connection would not be created and endpoint 463 wouldnot be allowed to communicate with network environment 521 throughgateway 461.

After the VPN connection between gateway 461 and endpoint 463 has beenestablished, gateway 461 determines at step 4 that endpoint 463 shouldbe provided service by guest OS 415. Gateway 461 may select guest OS 415randomly, based on selection criteria, by querying another system, orusing some other manner of selection—including combinations thereof. Forexample, gateway 461 may query an OS selection system (not shown) aboutwhich guest OS should service endpoint 463.

Regardless of how guest OS 415 is selected, after selection, gateway 461establishes a TCP connection with VNIC 445, which is the VNIC for guestOS 415, over which IP packets can be exchanged between VNIC 445 andgateway 461. To establish the TCP connection, gateway 461 generates oneor more IP packets 602 at step 5 that will be used to initiate athree-way handshake with VNIC 445 in accordance with TCP. Whengenerating IP packets 602, gateway 461 adds user information 601 to therespective packet headers of IP packets 602. User information 601 may beadded unmodified from what was received from endpoint 463 or gateway 461may modify user information 601 for the purposes of adding userinformation 601 to the packet headers and/or to comply with the type ofinformation relevant within network environment 521. For example, whilea username in user information 601 from endpoint 463 may have identifiedthe user of endpoint 463 to gateway 461, that username may not berelevant within network environment 521. Instead, element reading IPpacket headers in network environment 521 may expect a real-world nameof the user. Gateway 461 may, therefore, include the real-world name ofthe user in user information 601 in place of, or in addition to, theusername received from endpoint 463. Similarly, in some cases, theidentity of the specific user may not be necessary, but the type of useris (e.g., the user's purchased service level) and user information 601may be modified by gateway 461 to indicate the type of user. In someexamples, gateway 461 may need to reduce the size of user information601 to enable user information 601 to fit in a limited amount of spaceallowed by an IP packet header. In further examples, gateway 461 may addadditional information to user information 601 that may be relevantwithin network environment 521. For instance, gateway 461 may be able todetermine the geographic location of endpoint 463 based on the IPaddress of endpoint 463 used for the VPN connection. Since the VPNconnection is terminated at gateway 461, components within networkenvironment 521 would be unaware of that IP address to determine thegeographic location of endpoint 463 on their own. Gateway 461 may,therefore, include an indicator of the geographic location within userinformation 601 that is added to the headers of IP packets 602.

After generating IP packets 602, gateway 461 transfers IP packets 602 toVNIC 445 to initiate the three-way handshake at step 6 with VNIC 445.Upon receiving IP packets 602, VNIC 445 reads user information 601 anddetermines, based on user information 601 at step 7, whether a TCPconnection with VNIC 445 should be authorized. In this example, the TCPconnection is authorized and then established between gateway 461 andVNIC 445 at step 8. In other examples, VNIC 445 may determine that theTCP connection is not authorized and operational scenario 600 would notproceed to step 8 in that case. To determine whether to authorize theTCP connection, a management plane for virtual machines 401-406 mayprovide VNIC 445 may with a set of rules or policies that should beapplied to user information found in received packets. For example, thepolicies may indicate which types of users (e.g., users of a givenservice level) should be allowed to connect and from what geographiclocations those users are allowed to connection from. VNIC 445 maytherefore obtain the type of user and the geographic location ofendpoint 463 from reading user information 601 from the headers of IPpackets 602. In this example, the user of endpoint 463 and endpoint463's geographic location indicate that endpoint 463 should be allowedto connect to VNIC 445 through gateway 461 based on the policies used byVNIC 445.

Once the TCP connection is established between gateway 461 and VNIC 445,there are now two distinct connections on the communication bath betweenendpoint 463 and VNIC 445. The VPN connection between endpoint 463 andgateway 461 and the TCP connection between gateway 461 and VNIC 445within network environment 521. IP packets 603 are transferred fromendpoint 463 to gateway 461 at step 9 over the VPN connection. IPpackets 603 include data 604, which comprises data directed to guest OS415 for the purposes of guest OS 415 providing a service to endpoint 463(e.g., the virtual desktop from the example above). IP packets 603 arethen transferred from gateway 461 to VNIC 445 at step 10 over the TCPconnection. Upon receipt of IP packets 603, VNIC 445 passes data 604carried by IP packets 603 at step 11 into guest OS 415.

In some examples, gateway 461 may include user information 601 in theheaders of IP packets 603. The inclusion of user information 601 in theheaders of IP packets 603 may be in addition to or instead of includinguser information 601 in IP packets 602, as discussed above. If userinformation 601 is included in IP packets 603 rather than in IP packets602, the TCP connection may be established regardless of userinformation 601 and VNIC 445 determines whether subsequent packets(e.g., IP packets 603) transferred over the TCP connection should beallowed to pass into guest OS 415 by applying policies/rule to userinformation 601 therein. Even if user information 601 is alreadyincluded in IP packets 602, user information 601 may change over time.For example, endpoint 463 may be a mobile device that can move betweengeographic locations. Gateway 461 may change the geographic locationindicated in user information 601 as endpoint 463 moves. Upon readinguser information 601 with the new geographic location from one or moreof IP packets 603, VNIC 445 may determine that data 604 should no longerbe passed to guest OS 415 due to the new geographic location runningafoul of a policy. In that example, VNIC 445 may also stop all outgoingtraffic from guest OS 415 directed to endpoint 463 and/or may disconnectthe TCP connection between gateway 461 and VNIC 445.

In some examples, VNIC 445 may add user information 601 received in IPpackets 603 to outgoing packets associated with endpoint 463. Forexample, guest OS 415 may communicate with guest OS 412 while providingservice to endpoint 463. Packets setting up a TCP connection and/orcarrying data being transferred from guest OS 415 to guest OS 412 willhave user information 601 included in their headers by VNIC 445. VNIC442 can then read user information 601 to determine whether the packetsreceived from VNIC 445 in association with a service being provided toendpoint 463 should be allowed based on network policies/rules, therebyfurther microsegmenting network environment 521 based on userinformation 601.

FIG. 7 illustrates operational scenario 700 for handling network trafficbased on user information in packet headers. Operational scenario 700 isan example of how communications received by gateway 461 from endpoint463 over the VPN connection is handled by gateway 461. In this example,packets transferred to VNIC 445 by gateway 461 over the TCP connection(e.g., IP packets 603) use IPv6. IPv6 packet 701 is an example of one ofthose IP packets.

In this example, IPv6 packet 701 is encapsulated at endpoint 463 intoVPN encapsulation 731 for transfer over the VPN connection betweenendpoint 463 and gateway 461. VPN encapsulation 731 comprises at leastanother packet header on top of header 703 for IPv6 packet 701 but, inmost cases, VPN encapsulation 731 also encrypts IPv6 packet 701 toprotect against unwanted access to IPv6 packet 701. Upon receiving IPv6packet 701 in VPN encapsulation 731, gateway 461 removes VPNencapsulation 731 at step 1 from IPv6 packet 701 (e.g., removes the VPNheader and decrypts the VPN's encryption of IPv6 packet 701).

Once VPN encapsulation 731 is removed, gateway 461 adds user information721 at step 2 to header 703. User information 721 is an example of userinformation 601 from operational scenario 600. In particular, header 703has fixed header 711 in accordance with IPv6. Fixed header 711, like allfixed headers in IPv6, is 40-bytes in length and includes 8 predefinedfields. A “next header” field within those 8 predefined fields indicateswhether an extension header exists and, if so, what type of extensionheader exists. In examples, where no extension header exists, the nextheader field points to an upper layer (UL) header (e.g., a header forTCP, Internet Control Message Protocol, User Datagram Protocol, etc.)that every IPv6 packet includes but is not shown in this example). Inthis example, extension header 712 did not exist when IPv6 packet 701was received by gateway 461 in VPN encapsulation 731. Thus, upon receiptof IPv6 packet 701, the next header field of IPv6 packet 701 indicatedthe UL header.

To add user information 721 to header 703, gateway 461 adds extensionheader 712 to header 703. Consequently, gateway 461 also edits the nextheader field of fixed header 711 to indicate the existence of extensionheader 712. When indicating the existence of extension header 712, thenext header field indicates the type of extension header being used. Inthis case, one or both of types 253 and 254, which are reserved forexperimentation and testing, may be used for user information 721 andindicated in the next header field of fixed header 711. Once userinformation 721 has been added to extension header 712, as describedabove, IPv6 packet 701 is passed by gateway 461 into network environment521. Components within network environment 521, such as VNICs 441-446,can read user information 721 from extension header 712 and treat IPv6packet 701 in accordance with rules/policies applied to user information721. User information 721 does not need to be obtained in other manners,such as though inspecting payload 702 of IPv6 packet 701, if any ofthose other manners are even possible.

In this example, IPv6 packet 701 and its payload 702 remain constantfrom VPN encapsulation 731 through having extension header 712 with userinformation 721 added thereto. In other examples, gateway 461 mayextract payload 702 and create one or more new packets with extensionheaders having user information 721. For instance, payload 702 may bedivided among multiple new packets or may be combined with payloads fromother VPN encapsulated packets into one or more new packets. In someexamples, header 703 may already include one or more extension headersof one or more types to which gateway 461 will add extension header 712of types 253 and/or 254 in order to include user information 721. Inthose examples, the next header field of fixed header 711 will indicatea first extension header in an order defined by IPv6 and that firstextenuation header will have another next header field that directs to asubsequent extension header in the order (not all extension header typesneed be present but the order of one type coming before another is stillmaintained). This linked list type format continues until extensionheader 712 is reached (last in the defined order) and the next headerfield indicates the UL header, which is also the case when extensionheader 712 is the only extension header.

Operational scenario 700 focuses on adding user information 721 to IPv6packets using the fixed and extension headers provided by IPv6. Inanother example, IPv4 packets may be used. IPv4 provides 13 predefinedfields for packet headers complying with the protocol. While IPv4headers do not include extension headers like IPv6, IPv4 headers mayinclude an optional 14th field, commonly called the “options” field. The13 predefined fields of an IPv4 header include an Internet Header Length(IHL) field. The IHL field indicates the size of the IPv4 header in32-bit word increments. The minimum value for the IHL field is 5, whichindicates that the minimum size for an IPv4 header without the optionsfield is 160-bits. The maximum value for the IHL field is 15, whichallows for the options field to include up to 320-bits of information.Gateway 461 would modify the IHL field to indicate an options fieldlarge enough to include user information 721 without going over 320-bits(assuming no other information is in the options field).

The descriptions and figures included herein depict specificimplementations of the claimed invention(s). For the purpose of teachinginventive principles, some conventional aspects have been simplified oromitted. In addition, some variations from these implementations may beappreciated that fall within the scope of the invention. It may also beappreciated that the features described above can be combined in variousways to form multiple implementations. As a result, the invention is notlimited to the specific implementations described above, but only by theclaims and their equivalents.

What is claimed is:
 1. A method of passing information about a user intoa network environment from a gateway to the network environment, themethod comprising: in the gateway: establishing a first connection witha first connection endpoint outside of the network environment;identifying first user information associated with the first connection;adding the first user information to a packet header of one or morefirst packets associated with the first connection; and transferring theone or more first packets into the network environment.
 2. The method ofclaim 1, wherein the one or more first packets comply with InternetProtocol version 4 and wherein adding the first user information to thepacket header comprises: including the first user information to anoption type field of the packet header.
 3. The method of claim 1,wherein the one or more first packets comply with Internet Protocolversion 6 and wherein adding the first user information to the packetheader comprises: including the first user information to an extensionheader of the packet header.
 4. The method of claim 1, furthercomprising: in the gateway, establishing a second connection within thenetwork environment using a transport protocol.
 5. The method of claim4, wherein the one or more first packets comprise handshake packetsexchanged during a handshake procedure for the transport protocol. 6.The method of claim 1, wherein the one or more first packets comprisepackets received via the first connection.
 7. The method of claim 1,wherein the first connection comprises a virtual private network (VPN)connection between the gateway and wherein identifying the first userinformation comprises: extracting the first user information fromencapsulation for the VPN connection.
 8. The method of claim 1, whereinthe first connection comprises a virtual private network (VPN)connection between the gateway and wherein identifying the first userinformation comprises: obtaining the first user information duringestablishment of the VPN connection.
 9. The method of claim 1, furthercomprising: implementing microsegmentation within the networkenvironment based on the first user information in the packet header.10. The method of claim 9, wherein implementing the microsegmentationcomprises: enforcing policies at one or more packet network interfaceswithin the network environment.
 11. An apparatus for passing informationabout a user into a network environment from a gateway to the networkenvironment, the apparatus comprising: one or more computer readablestorage media; a processing system operatively coupled with the one ormore computer readable storage media; and program instructions stored onthe one or more computer readable storage media for a network trafficoptimizer that, when read and executed by the processing system, directthe processing system to: establish a first connection with a firstconnection endpoint outside of the network environment; identify firstuser information associated with the first connection; add the firstuser information to a packet header of one or more first packetsassociated with the first connection; and transfer the one or more firstpackets into the network environment.
 12. The apparatus of claim 11,wherein the one or more first packets comply with Internet Protocolversion 4 and wherein to add the first user information to the packetheader, the program instructions direct the processing system to:include the first user information to an option type field of the packetheader.
 13. The apparatus of claim 11, wherein the one or more firstpackets comply with Internet Protocol version 6 and wherein to add thefirst user information to the packet header, the program instructionsdirect the processing system to: include the first user information toan extension header of the packet header.
 14. The apparatus of claim 11,wherein the program instructions further direct the processing systemto: establish a second connection within the network environment using atransport protocol.
 15. The apparatus of claim 14, wherein the one ormore first packets comprise handshake packets exchanged during ahandshake procedure for the transport protocol.
 16. The apparatus ofclaim 11, wherein the one or more first packets comprise packetsreceived via the first connection.
 17. The apparatus of claim 11,wherein the first connection comprises a virtual private network (VPN)connection between the gateway and wherein to identify the first userinformation, the program instructions direct the processing system to:extract the first user information from encapsulation for the VPNconnection.
 18. The apparatus of claim 11, wherein the first connectioncomprises a virtual private network (VPN) connection between the gatewayand wherein to identify the first user information, the programinstructions direct the processing system to: obtain the first userinformation during establishment of the VPN connection.
 19. Theapparatus of claim 11, wherein the program instructions further directthe processing system to: implement microsegmentation within the networkenvironment based on the first user information in the packet header,wherein the microsegmentation includes enforcing policies at one or morepacket network interfaces within the network environment.
 20. One ormore computer readable storage media having program instructions storedthereon for passing information about a user into a network environmentfrom a gateway to the network environment, the program instructions,when read and executed by a processing system, direct the processingsystem to: establish a first connection with a first connection endpointoutside of the network environment; identify first user informationassociated with the first connection; add the first user information toa packet header of one or more first packets associated with the firstconnection; and transfer the one or more first packets into the networkenvironment.